Johnson & Johnson Warns Insulin Pump Owners They Could Be Killed By Hackers

from the internet-of-broken-things dept

Initially the lack of security on "smart" Internet of Things devices was kind of funny as companies rushed to make a buck and put device security on the back burner. And while hackable tea kettles and refrigerators that leak your Gmail credentials just seem kind of stupid on the surface, people are slowly realizing that, at scale, we're introducing millions of new attack vectors into homes and businesses annually. Worse, compromised devices are now being used as part of massive new DDoS attacks like the one we recently saw launched against Brian Krebs.

Unfortunately, companies that service the medical industry also decided a few years ago that it would be a good idea to connect every-damn-thing to networks without first understanding the security ramifications of the decision. As a result, we're seeing a rise in not only the number of ransomware attacks launched on hospitals, but a spike in hackable devices like pacemakers that could mean life and death for some customers.

Another new case in point: Johnson and Johnson this week had to reach out to owners of the company's insulin pumps to warn them that the devices could be used to kill somebody by overdosing diabetic patients with insulin. According to researchers, the devices were launched with wireless connectivity in 2008 as a means of bringing added convenience for customers, but Johnson and Johnson failed to encrypt the device's wireless traffic:

"The Animas OneTouch Ping, which was launched in 2008, is sold with a wireless remote control that patients can use to order the pump to dose insulin so that they do not need access to the device itself, which is typically worn under clothing and can be awkward to reach. Jay Radcliffe, a diabetic and researcher with cyber security firm Rapid7 Inc, said he had identified ways for a hacker to spoof communications between the remote control and the OneTouch Ping insulin pump, potentially forcing it to deliver unauthorized insulin injections."
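The flaw described above is an unauthenticated command channel: with no encryption or integrity check on the radio link, the pump obeys any frame that looks like a remote's command. The following is an added illustration (not Animas or Johnson & Johnson code) that contrasts such a receiver with one requiring a keyed MAC and a monotonic counter; the frame layout, pairing key, tag size and dose encoding are assumptions for the demo, not the OneTouch Ping's real protocol.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real device would hold a per-pairing secret
# provisioned when the remote is bound to the pump.
PAIRING_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
TAG_LEN = 16  # truncated HMAC-SHA256 tag (assumed size)

class LegacyPump:
    """Models the flaw in the article: any well-formed frame is obeyed."""

    def __init__(self):
        self.delivered_units = 0.0

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 2:
            return False
        (dose_tenths,) = struct.unpack(">H", frame)
        self.delivered_units += dose_tenths / 10
        return True

class AuthenticatedPump:
    """Obeys a bolus only if the frame carries a valid keyed MAC and a
    counter strictly greater than the last one accepted (no replays)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1
        self.delivered_units = 0.0

    def receive(self, frame: bytes) -> bool:
        # Assumed frame layout: 4-byte counter | 2-byte dose | 16-byte tag
        if len(frame) != 6 + TAG_LEN:
            return False
        body, tag = frame[:6], frame[6:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # frame was not built with the pairing key
        counter, dose_tenths = struct.unpack(">IH", body)
        if counter <= self.last_counter:
            return False  # replayed or stale frame
        self.last_counter = counter
        self.delivered_units += dose_tenths / 10
        return True

def build_frame(key: bytes, counter: int, dose_tenths: int) -> bytes:
    """What a paired remote sends: counter, dose, and a MAC over both."""
    body = struct.pack(">IH", counter, dose_tenths)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def demo() -> dict:
    legacy, pump = LegacyPump(), AuthenticatedPump(PAIRING_KEY)
    legit = build_frame(PAIRING_KEY, 1, 30)      # 3.0 units from the paired remote
    unkeyed = build_frame(b"\x00" * 16, 2, 30)   # same layout, wrong key
    return {
        "legacy_obeys_any_frame": legacy.receive(struct.pack(">H", 30)),
        "legit_accepted": pump.receive(legit),
        "replay_rejected": not pump.receive(legit),
        "unkeyed_rejected": not pump.receive(unkeyed),
        "delivered_units": pump.delivered_units,
    }
```

The legacy receiver delivers a dose for any two-byte frame, while the authenticated one rejects both the unkeyed frame and the replayed legitimate one, so only the paired remote's fresh command is acted on.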

As with pacemakers, an attacker needs to be relatively close to make this happen (25 feet), resulting in Johnson and Johnson insisting the overall risk was low:

"The probability of unauthorized access to the OneTouch Ping system is extremely low," the company said in letters sent on Monday to doctors and about 114,000 patients who use the device in the United States and Canada. "It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network."

That's not really comforting. While this particular hack was publicized and fixed, there's a growing zero-day exploit market for medical device vulnerabilities that could be used to kill or injure an individual without detection. That market is going to be increasingly attractive to nation-state actors and private contractors using the Internet of Things for globally malicious (and in some instances potentially fatal) activity. The rise in hackable medical devices has forced the FDA to issue formal guidance on how medical device makers should handle reports about cyber vulnerabilities.

In this case it appears that Johnson and Johnson was cooperative with Rapid7, but as we've noted previously, the lion's share of internet-of-broken-things companies tends to respond to researcher vulnerability reports with stone-cold silence.

Reader Comments

Dude, you're conflating two related, but distinct things in this article. The insulin pumps are NOT IoT devices, yet you use their security issues to further the message that IoT will be the death of us all. You need to be better than this.

Re:

I agree. The issue here is insecure short range wireless communication, and has absolutely nothing to do with the internet or the internet of (broken) things. The quote from the company states that very, very, very clearly.

It brings up a more complex issue, specifically simple remote controls which have been made for years and likely have little or no real security on them. 10 years ago (when this insulin device was developed) it's very likely that nobody considered short range "hacks".

It's a good story - but it's not about IoT at all. Seems like just an excuse to bang the drum again.

Re: Re:

Yes, this story features a device that is not an IoT device. However, it does very directly concern IoT devices in that the only real difference is that IoT devices are easier to access, therefore in devices that differ only in their connectivity being local versus IoT, the IoT devices are more dangerous.

Re:

They are more similar than one might think. The same sort of mindset appears in both things, a rush to "we can do this" and next to no thought in what happens when you do that.

Adding new connectivity to anything without considering the bad ramifications is a stupid way to handle things. While you have to be within 25ft to spike the insulin pump, one could probably build a small device that just keeps sending out the codes as they walk around.

While the insulin pump wasn't directly connected to the IoT, there are heart monitors and other devices that are... and lacking even the most basic security.

There is/was a brand of medical monitor used in hospitals, and for some reason they stuck a user accessible USB port on the front and imagine that people kept plugging things in and some of them got hacked.

These aren't just cameras so you can watch your pet at home, these are medical devices that can harm users and no one has said we need even a minimum amount of security required by law. They think that somehow the free market will spend money on security rather than on the math equation of how much a settlement will be for the lawsuit.

Re:

The 25 foot range means that you can't hack the device directly from Russia. But what about indirectly?

Walk into any crowd and you're surrounded by countless internet-connected Wi-Fi and Bluetooth transceivers. Software-defined radios - limited by software to a given function and frequency but able to do far more - are becoming common.

Re: Re:

Umm, quite simply, it's not an internet device at all. It's not an IP device. It's a remote control (think remote control on your TV). Generally those use very low power radios in one of a very few frequency bands. They are not near to or in the range of wifi.

Read the article closely - you need to be within a very small distance with a device that can emit the correct frequency and codes for that particular insulin pump.

There is no internet story here, except that you are reading the story online.

Re: Re:

In fact, the device operates in the 902–928 MHz range, which is the edges of the cellular bands. So no, no wifi issue here, no remote access, no Russian hackers remotely blowing up patients with too much insulin...

Re: Re: Re: Re:

As I mentioned, I'm worried about software-defined radios (SDRs). Able to cover many bands and protocols, but limited only by software.

There are already many commercially available models for professionals, radio amateurs and home use. With popular cell phones needing to handle a variety of protocols (GSM, CDMA, UMTS, CDMA 2000, LTE) and a variety of bands varying by carrier and country, what are the chances that some of them - and other devices - are already using SDRs?

Re: Re: Re:

"In fact, the device operates in the 902–928 MHz range, which is the edges of the cellular bands. So no, no wifi issue here"

...unless you have devices that connect to both the specified range and wifi, or the specified range and 3/4G or the specified range and a wired connection, etc. Even if such devices weren't commercially available, a determined person could certainly create one.

The risk is slim and abuse unlikely, but it's funny how in trying to explain away why there's no problem, you identify the exact places where the risk exists. It's probably a concern over nothing, but the risk exists and it's the same risk that exists with IoT devices, albeit on a much more localised scale.

Re: Re: Re: Re:

"unless you have devices that connect to both the specified range and wifi, or the specified range and 3/4G or the specified range and a wired connection, etc. Even if such devices weren't commercially available, a determined person could certainly create one."

Please pay attention Paul - it's a bi-directional communication. It doesn't matter how much you turn up the INCOMING power, the device replying has a range of a few feet. It's not in the wifi band, it's in a band just near cellular generally reserved for low power remote controls and similar devices.

The risk here as a general concept is very small. This is one of those "proof of concept" hacks, but one that is fairly hard to implement. You need to find a target with the right device (pretty rare), you need to get very, very close to them (less than 10 feet to have a chance, less than a couple of feet to get reasonable communication speed), figure out which of 16 channels they are on, establish communications, and then you have to trigger the burst of insulin, which the subject still has the potential to override on the unit they are wearing.

Someone who is very determined might be able to do something with such a hack, but it's not comparable to internet connected devices with poor or non-existent security.

Re: Re: Re: Re: Re:

"It's not in the wifi band, it's in a band just near cellular generally reserved for low power remote controls and similar devices"

Indeed. So, continue reading and address the rest of the point.

"The risk here as a general concept is very small"

Exactly as I said above. But, just because a risk is small that does not mean it's not worth considering or comparable to situations with similar but higher risks. You do have a habit of repeating the things that someone else has said in the article or comments in a tone that tries to imply it's an original point.

It is pretty tiresome. You ignored part of my point, restated part of it and failed to address why you disagree with the rest of what you bothered to acknowledge. You've said a lot of words and, as usual, said absolutely nothing.

Re: Re:

Kill someone remotely from 25 feet and you can be a long way away before it's even realised that the insulin pump didn't simply malfunction, but was manipulated.

Assuming it can be determined the pump was manipulated. Which isn't a given.

Insulin pumps have two delivery modes:

Bolus, which is used to deliver a large dose of insulin - for example to correct for high blood sugars or to dose for carbs in a meal;

Basal, which is a slow, continuous dosage intended to keep blood sugars level over time, _and_ which, on this model of pump, can be adjusted automatically based on time of day.

So, all you realistically would need (in theory) would be line of sight, since the 25' limitation is a bluetooth spec limitation and not a hard and fast physical limitation, and to know what time the person typically goes to bed.

Re: Re: Re:

Again, you need 25 feet or less, no obstructions, and you need to know exactly what channel the pump is on, then you need to communicate with it, and then you could launch an attack.

First, however, you would have to find someone actually using one in public, with the "remote access" feature activated.

Is it possible? Sure. Likely? Not really. It's not at all internet related, it's just a malfunction in the way the remote operates. It's not close to an IoT issue, as this is nearly a 10 year old design (long before IoT was even a thing).

Re:

I would think a hacker with murderous intent would be much more likely to use a weapon, not a computer.

A weapon is a state of mind, not an object. You can be beaten to death with the (trivially) detachable seatbelt on an airplane if you put your seatmate in a mind to do so.

An insulin pump is no different. It would, however, be damn near impossible to prove or identify after the fact. There's no such thing as "insulin poisoning", there's just "hypoglycemia, resulting in unconsciousness, followed by death" if not caught in time.

It seems to me that there is an acceptable approximation of a solution...

One that would work fairly rapidly. The only drawback is that it would require the government to actually do its job, so it is fairly unlikely to be used.

First off, create a portal through which researchers, hackers et al could officially notify companies of security flaws in their products. Give users blanket indemnity for the act of using it - can't sue/prosecute anyone for giving the notification or steps taken to discover the vulnerability that would not be illegal beyond legislation that makes those acts themselves illegal, kidnapping and torturing company executives would remain illegal but cracking a password would not - and make the time/date stamps on the notifications legal proof positive that the company was notified. Then give the company a short but reasonable period of a few weeks to fix/notify users of the issue and then make them legally liable, with an expedited trial process, for any and all subsequent losses, with multiple damages if the company cannot demonstrate reasonable effort to mitigate the problem.

Also, remove the corporate veil for boards and managers that allow/motivate their companies to ignore such problems.

According to a quick Google conversion this means 7,62 meters or roughly medium sedans. A targeted attack would be incredibly easy at such distance not to mention some ill intentioned person could simply set up a device to constantly issue 'kill' orders for some of those medical devices and just walk around. Because humans don't need reasons to be evil.

Low risk? How low was the risk of a terabit DDoS attack when this IoT thing started?

Re:

Not really true.

Because different devices use both different frequencies and different communication protocols, a "kill" beacon approach just wouldn't work out. The device in question here can operate on one of 16 different channels, in the 902–928 MHz frequency range.

Best case scenario you need to be within three feet (arm's length) for half a second, checking 16 different channels and negotiating whatever protocol might be required... worst case you are 9 feet away (less than 2 office cubicles) and the person needs to stay in that range for upwards of 10 seconds. Even the slowest of walkers would blow both of those scenarios away pretty quickly.

Moreover, how many people are walking around with these devices anyway? You might set a device up in central station in New York and only have a single person walk through the building in a day with one - or even one per week for all you know. It would only be a decent random attack if you were, say, hanging around a diabetic clinic or something similar. Otherwise, you would be wasting time.

Now devices that are internet connected, well, different story - but that is clearly NOT this story.

Re: Re:

Dude, I could build said device. There are plenty of modular and cheap ways to do it. Arduino comes to mind.

"Moreover, how many people are walking around with these devices anyway? You might set a device up in central station in New York and only have a single person walk through the building in a day with one - or even one per week for all you know. It would only be a decent random attack if you were, say, hanging around a diabetic clinic or something similar. Otherwise, you would be wasting time."

So? Twist things as much as you like, add technical statistics as much as you like, it doesn't change anything. Would you feel comfortable if you were wearing a device that could kill you if some determined "enemy" wanted without trace? It doesn't help the ones that use it and are targeted by somebody. Even if the 'casual' attacker scenario is unlikely, a targeted attack is very, very easy.

I saw you going out of your way to protect the company. Are you on their payroll or something?

Re: Re: Re:

"Even if the 'casual' attacker scenario is unlikely, a targeted attack is very, very easy."

Exactly, he seems to be ridiculing one scenario, but forgets the others. He's intent on addressing the idea of a random terrorist act, but forgets the possibility of it being used for a targeted assassination. As ever, he's able to grasp a small part of the point but misses what everyone else is actually talking about in his scramble to act superior.

What's funny is, in his attempts to wave away the idea that these things can be exploited in the wild, he's researched all the details needed to construct an attack.

"I saw you going out of your way to protect the company. Are you on their payroll or something?"

If anyone pays him to post here, they need a refund for the low quality work it produces.

I don't know about other people, but the number of people who come within a 25' radius of me in a given day is about... actually, I don't know, but it's likely in the thousands. I ride public transit, and the trains get pretty packed.

So in this case, the range isn't an issue for an attacker.

Next, we move to opportunity. Well, since I've already noted that thousands of people have opportunity via range, we have to think about who has the necessary equipment to pull this off. I don't know what wavelength these remotes operate on, but my guess is that it's in the medical devices range, which just happens to be shared by some pretty ubiquitous technology, including cheap software defined radio equipment.

So then we've got motive: since we live in a world where SWATting is a thing, "for kicks" is a motive, with no specific target needed. State-actor attacks are also a possibility, as there's no way to trace the attacker with a device like this. So even if they have a log indicating that some remote device gave the command to boost insulin production, there's no way to identify the remote device used, after the fact.

So: you could have a person with a device like this just traveling a subway system. You could have a state actor set up the device somewhere that they know the target is going to be within 25' of at some point. Or, you can have someone remotely hack into a mobile device containing both internet access and an SDR, and program it to broadcast the signal 24/7, unknown to the device owner.

And what does this have to do with IoT? Well, it's not about how the technology can be abused so much as it's about the mindset behind developing tools in the first place -- communications security is not a priority, and sometimes not even discussed.

Unlike the banking industry, where a statistical model is used that optimizes the amount of security applied to protecting data (sometimes it's cheaper to suffer attack than to protect against it in the first place), in the medical field, a successful attack can result in individual death or suffering. This means that the security protection bar should be set orders of magnitude higher. And yet, it isn't. The same profit/loss model is used, when a model is used at all. THIS is the problem.

The dwindling options for those of us who don't want smart (stupid) devices like TVs has been frustrating, but is downright scary when it comes to medical devices.

I have been in a power wheelchair for most of my life and am currently in the process of buying a new one. While going over options with the sales rep, he got all excited to tell me about this new feature where the chair's controller could interface with my PC via bluetooth and double up as a mouse!

I looked blankly at the guy and said, "Please tell me this is optional."

Thankfully it is... for now.

He was utterly baffled as to why I would not want the chair I'm 100% reliant on for mobility and independence to be connected to my PC. Why wouldn't I want the on board computer system that runs the chair talking to my desktop; and therefore, indirectly, the net? Gee, I can't think of any logical reason.

Additionally, he could tell me nothing about the security of the wireless connection - although nothing would make the risk worth it for me. As it is, I worry some components for this will still be present regardless of me not choosing this option.

The Paradigm and Animas devices are each other's fiercest competitors.

2011: Jay Radcliffe exploits security vulnerabilities in the Paradigm device. He can KILL you REMOTELY. He gives a talk and demonstrates the exploit at Black Hat.

AT BLACK HAT.

The mainstream media ride this story into the ground in the cataclysmic fashion only the mainstream media can.

Meanwhile: Medtronic is suing Johnson & Johnson for patent infringement. The patents being infringed are for the Paradigm device. The device claimed to be infringing is the Animas device. Medtronic is literally accusing J&J of COPYING the thing. COPYING.

2016: Jay Radcliffe hacks the Animas device using a similar exploit. He can KILL you REMOTELY.

So... what this means is that in the 5 intervening years, nobody at J&J thought, "Hrm. Maybe we should check out the security of that device we make with the patents we stole from that other device that wasn't secure."

They probably did

"Unfortunately, companies that service the medical industry also decided a few years ago that it would be a good idea to connect every-damn-thing to networks without first understanding the security ramifications of the decision."

I suspect that they actually did consider the ramifications. And, as any business (or anyone else in general for that matter) should, they probably did a cost benefit analysis. Cost of implementing proper security vs cost of not implementing proper security (e.g. lawsuits). And they probably came to the conclusion that it was more costly to implement proper security than not.